#
# Warning: This file contains Terraform that stores secrets in the Terraform state file unencrypted. It is not suitable for a production deployment, but since this is a test/experiment, the additional automation was judged to outweigh the potential risk.
#
# RSA key pair generated by Terraform itself; judging by the name it is meant to
# sign JWTs. Because the key is produced by the tls provider, the private half
# lives in the state file (see the warning at the top of this file).
resource "tls_private_key" "jwt_private_key" {
  rsa_bits  = 2048
  algorithm = "RSA"
}
# Secret Manager container for the private key. The key material itself is
# attached by the google_secret_manager_secret_version resource below.
resource "google_secret_manager_secret" "jwt_private_key" {
  secret_id = "jwt-private-key"
  project   = google_project.project.project_id

  # Automatic replication policy; no explicit storage regions are pinned.
  replication {
    auto {}
  }

  # Ordered after the "secretmanager" entry of google_project_service.service
  # (defined elsewhere in this configuration), so the API is enabled first.
  depends_on = [google_project_service.service["secretmanager"]]
}
# Publishes the generated PEM private key as a version of the secret above.
# NOTE: secret_data is an ordinary attribute, so the PEM is also recorded in
# Terraform state (see the warning at the top of this file).
# NOTE(review): newer releases of the google provider offer a write-only
# alternative (secret_data_wo) that keeps the value out of state — confirm the
# provider version in use before switching.
resource "google_secret_manager_secret_version" "jwt_private_key" {
  secret_data = tls_private_key.jwt_private_key.private_key_pem
  secret      = google_secret_manager_secret.jwt_private_key.id
}
# Grants read access on the secret to the project's default Compute Engine
# service account ({project number}-compute@developer.gserviceaccount.com).
# Any workload running under that identity — not only the intended Cloud Run
# service — can therefore read the private key.
resource "google_secret_manager_secret_iam_member" "member" {
  secret_id = google_secret_manager_secret.jwt_private_key.secret_id
  project   = google_secret_manager_secret.jwt_private_key.project
  member    = "serviceAccount:${google_project.project.number}-compute@developer.gserviceaccount.com"
  role      = "roles/secretmanager.secretAccessor"

  # TODO: This should probably be using a service account specific to the
  # cloud run service instead of the compute service agent.
}
# Exposes the PEM private key to whoever consumes this configuration's outputs.
# `sensitive = true` only redacts the value from plan/apply output and
# `terraform output`; the value is still present in the state file.
output "jwt_private_key" {
  description = "PEM-encoded private key from tls_private_key.jwt_private_key (sensitive)."
  sensitive   = true
  value       = tls_private_key.jwt_private_key.private_key_pem
}